🩹 [Patch]: Prevent Concurrent Access Token Refresh with Mutex Lock (#393)

This pull request introduces significant updates to the GitHub
authentication and API handling mechanisms, improving token management,
adding support for GitHub App private keys, and enhancing concurrency
handling. The changes also include adjustments to data types and
configurations for better precision and compatibility.

- Fixes #392

### Authentication Updates

* Added support for GitHub App private key handling by introducing a new
`PrivateKey` property in `AppGitHubContext` and ensuring it is securely
processed during authentication.
* Enhanced token refresh logic to handle both user access tokens and
GitHub App PEM tokens, with mutex-based concurrency control for token
updates.

### API Handling Improvements

* Removed redundant token refresh logic from `Invoke-GitHubAPI` and
centralized it in the context resolution process for better
maintainability.

### Configuration and Type Adjustments

* Changed `AccessTokenGracePeriodInHours` from `int` to `double` for
increased precision in token expiration calculations.
* Updated time-related calculations to use `[datetime]::Now` instead of
`Get-Date` for consistency across the module.

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: MariusStorhaug <[email protected]>
Co-authored-by: Marius Storhaug <[email protected]>

Author: Copilot

src/classes/public/Config/GitHubConfig.ps1

@@ -3,7 +3,7 @@
     [string] $ID
 
     # The access token grace period in hours.
-    [System.Nullable[int]] $AccessTokenGracePeriodInHours
+    [System.Nullable[double]] $AccessTokenGracePeriodInHours
 
     # The default context.
     [string] $DefaultContext

src/classes/public/Context/GitHubContext/AppGitHubContext.ps1

@@ -2,6 +2,9 @@
     # Client ID for GitHub Apps
     [string] $ClientID
 
+    # The private key for the app.
+    [securestring] $PrivateKey
+
     # Owner of the GitHub App
     [string] $OwnerName
 
@@ -36,6 +39,7 @@
         $this.HttpVersion = $Object.HttpVersion
         $this.PerPage = $Object.PerPage
         $this.ClientID = $Object.ClientID
+        $this.PrivateKey = $Object.PrivateKey
         $this.OwnerName = $Object.OwnerName
         $this.OwnerType = $Object.OwnerType
         $this.Permissions = $Object.Permissions

src/functions/private/Auth/Context/Resolve-GitHubContext.ps1

@@ -56,12 +56,24 @@
         if ($Context -is [string]) {
             $contextName = $Context
             Write-Verbose "Getting context: [$contextName]"
-            return Get-GitHubContext -Context $contextName
+            $Context = Get-GitHubContext -Context $contextName
         }
 
         if ($null -eq $Context) {
             Write-Verbose 'Context is null, returning default context.'
-            return Get-GitHubContext
+            $Context = Get-GitHubContext
+        }
+
+        switch ($Context.TokenType) {
+            'ghu' {
+                Write-Verbose 'Using GitHub User Access Token.'
+                $Context = Update-GitHubUserAccessToken -Context $Context -PassThru
+            }
+            'PEM' {
+                Write-Verbose 'Using GitHub App PEM Token.'
+                $jwt = Get-GitHubAppJSONWebToken -ClientId $Context.ClientID -PrivateKey $Context.PrivateKey
+                $Context.Token = $jwt.Token
+            }
         }
 
         # TODO: Implement App installation context resolution

src/functions/private/Auth/DeviceFlow/Test-GitHubAccessTokenRefreshRequired.ps1

@@ -27,9 +27,9 @@
 
     process {
         $tokenExpirationDate = $Context.TokenExpirationDate
-        $currentDateTime = Get-Date
-        $remainingDuration = [datetime]$tokenExpirationDate - $currentDateTime
-        $remainingDuration.TotalHours -lt $script:GitHub.Config.AccessTokenGracePeriodInHours
+        $remainingDuration = [datetime]$tokenExpirationDate - [datetime]::Now
+        $updateToken = $remainingDuration.TotalHours -lt $script:GitHub.Config.AccessTokenGracePeriodInHours
+        $updateToken
     }
 
     end {

src/functions/private/Auth/DeviceFlow/Update-GitHubUserAccessToken.ps1

@@ -20,7 +20,7 @@
         [Refreshing user access tokens](https://docs.github.com/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens)
     #>
     [CmdletBinding(SupportsShouldProcess)]
-    [OutputType([securestring])]
+    [OutputType([GitHubContext])]
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWriteHost', '', Justification = 'Is the CLI part of the module.')]
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '', Justification = 'The tokens are recieved as clear text. Mitigating exposure by removing variables and performing garbage collection.')]
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidLongLines', '', Justification = 'Reason for suppressing')]
@@ -32,7 +32,15 @@
 
         # Return the new access token.
         [Parameter()]
-        [switch] $PassThru
+        [switch] $PassThru,
+
+        # Suppress output messages.
+        [Parameter()]
+        [switch] $Silent,
+
+        # Timeout in milliseconds for waiting on mutex. Default is 30 seconds.
+        [Parameter()]
+        [int] $TimeoutMs = 30000
     )
 
     begin {
@@ -42,56 +50,63 @@
     }
 
     process {
-        Write-Verbose "Reusing previously stored ClientID: [$($Context.AuthClientID)]"
-        $authClientID = $Context.AuthClientID
-        $accessTokenValidity = [datetime]($Context.TokenExpirationDate) - (Get-Date)
-        $accessTokenIsValid = $accessTokenValidity.Seconds -gt 0
-        $hours = $accessTokenValidity.Hours.ToString().PadLeft(2, '0')
-        $minutes = $accessTokenValidity.Minutes.ToString().PadLeft(2, '0')
-        $seconds = $accessTokenValidity.Seconds.ToString().PadLeft(2, '0')
-        $accessTokenValidityText = "$hours`:$minutes`:$seconds"
-        if ($accessTokenIsValid) {
-            if ($accessTokenValidity.TotalHours -gt $script:GitHub.Config.AccessTokenGracePeriodInHours) {
-                if (-not $Silent) {
-                    Write-Host '✓ ' -ForegroundColor Green -NoNewline
-                    Write-Host "Access token is still valid for $accessTokenValidityText ..."
-                }
-                return
-            } else {
-                if (-not $Silent) {
-                    Write-Host '⚠ ' -ForegroundColor Yellow -NoNewline
-                    Write-Host "Access token remaining validity $accessTokenValidityText. Refreshing access token..."
+        if (Test-GitHubAccessTokenRefreshRequired -Context $Context) {
+            $lockName = "PSModule.GitHub/$($Context.ID)"
+            $lock = $null
+            try {
+                $lock = [System.Threading.Mutex]::new($false, $lockName)
+                $updateToken = $lock.WaitOne(0)
+
+                if ($updateToken) {
+                    try {
+                        $refreshTokenValidity = [datetime]($Context.RefreshTokenExpirationDate) - [datetime]::Now
+                        $refreshTokenIsValid = $refreshTokenValidity.TotalSeconds -gt 0
+                        if ($refreshTokenIsValid) {
+                            if (-not $Silent) {
+                                Write-Host '⚠ ' -ForegroundColor Yellow -NoNewline
+                                Write-Host 'Access token expired. Refreshing access token...'
+                            }
+                            $tokenResponse = Invoke-GitHubDeviceFlowLogin -ClientID $Context.AuthClientID -RefreshToken $Context.RefreshToken -HostName $Context.HostName
+                        } else {
+                            Write-Verbose "Using $($Context.DeviceFlowType) authentication..."
+                            $tokenResponse = Invoke-GitHubDeviceFlowLogin -ClientID $Context.AuthClientID -HostName $Context.HostName
+                        }
+                        $Context.Token = ConvertTo-SecureString -AsPlainText $tokenResponse.access_token
+                        $Context.TokenExpirationDate = (Get-Date).AddSeconds($tokenResponse.expires_in)
+                        $Context.TokenType = $tokenResponse.access_token -replace $script:GitHub.TokenPrefixPattern
+                        $Context.RefreshToken = ConvertTo-SecureString -AsPlainText $tokenResponse.refresh_token
+                        $Context.RefreshTokenExpirationDate = (Get-Date).AddSeconds($tokenResponse.refresh_token_expires_in)
+
+                        if ($PSCmdlet.ShouldProcess('Access token', 'Update/refresh')) {
+                            Set-Context -Context $Context -Vault $script:GitHub.ContextVault
+                        }
+                    } finally {
+                        $lock.ReleaseMutex()
+                    }
+                } else {
+                    Write-Verbose "Access token is not valid. Waiting for mutex to be released (timeout: $($TimeoutMs)ms)..."
+                    try {
+                        if ($lock.WaitOne($TimeoutMs)) {
+                            # Re-read context to get updated token from other process
+                            $Context = Resolve-GitHubContext -Context $Context.ID
+                            $lock.ReleaseMutex()
+                        } else {
+                            Write-Warning 'Timeout waiting for token update. Proceeding with current token state.'
+                        }
+                    } catch [System.Threading.AbandonedMutexException] {
+                        Write-Debug 'Mutex was abandoned by another process. Re-checking token state...'
+                        $Context = Get-Context -Context $Context.ID -Vault $script:GitHub.ContextVault
+                    }
                 }
-                $tokenResponse = Invoke-GitHubDeviceFlowLogin -ClientID $authClientID -RefreshToken ($Context.RefreshToken) -HostName $Context.HostName
-            }
-        } else {
-            $refreshTokenValidity = [datetime]($Context.RefreshTokenExpirationDate) - (Get-Date)
-            $refreshTokenIsValid = $refreshTokenValidity.Seconds -gt 0
-            if ($refreshTokenIsValid) {
-                if (-not $Silent) {
-                    Write-Host '⚠ ' -ForegroundColor Yellow -NoNewline
-                    Write-Host 'Access token expired. Refreshing access token...'
+            } finally {
+                if ($lock) {
+                    $lock.Dispose()
                 }
-                $tokenResponse = Invoke-GitHubDeviceFlowLogin -ClientID $authClientID -RefreshToken ($Context.RefreshToken) -HostName $Context.HostName
-            } else {
-                Write-Verbose "Using $Mode authentication..."
-                $tokenResponse = Invoke-GitHubDeviceFlowLogin -ClientID $authClientID -Scope $Scope -HostName $Context.HostName
             }
         }
-        $Context.Token = ConvertTo-SecureString -AsPlainText $tokenResponse.access_token
-        $Context.TokenExpirationDate = (Get-Date).AddSeconds($tokenResponse.expires_in)
-        $Context.TokenType = $tokenResponse.access_token -replace $script:GitHub.TokenPrefixPattern
-        $Context.RefreshToken = ConvertTo-SecureString -AsPlainText $tokenResponse.refresh_token
-        $Context.RefreshTokenExpirationDate = (Get-Date).AddSeconds($tokenResponse.refresh_token_expires_in)
-
-        if ($PSCmdlet.ShouldProcess('Access token', 'Update/refresh')) {
-            Set-Context -Context $Context -Vault $script:GitHub.ContextVault
-        }
-
         if ($PassThru) {
-            $Context.Token
+            return $Context
         }
-
     }
 
     end {

src/functions/public/API/Invoke-GitHubAPI.ps1

@@ -120,7 +120,6 @@ function Invoke-GitHubAPI {
 
     process {
         $Token = $Context.Token
-
         $HttpVersion = Resolve-GitHubContextSetting -Name 'HttpVersion' -Value $HttpVersion -Context $Context
         $ApiBaseUri = Resolve-GitHubContextSetting -Name 'ApiBaseUri' -Value $ApiBaseUri -Context $Context
         $ApiVersion = Resolve-GitHubContextSetting -Name 'ApiVersion' -Value $ApiVersion -Context $Context
@@ -136,18 +135,6 @@ function Invoke-GitHubAPI {
                 TokenType   = $TokenType
             } | Format-List | Out-String -Stream | ForEach-Object { Write-Debug $_ }
         }
-        $jwt = $null
-        switch ($TokenType) {
-            'ghu' {
-                if (Test-GitHubAccessTokenRefreshRequired -Context $Context) {
-                    $Token = Update-GitHubUserAccessToken -Context $Context -PassThru
-                }
-            }
-            'PEM' {
-                $jwt = Get-GitHubAppJSONWebToken -ClientId $Context.ClientID -PrivateKey $Context.Token
-                $Token = $jwt.Token
-            }
-        }
 
         $headers = @{
             Accept                 = $Accept
@@ -209,20 +196,6 @@ function Invoke-GitHubAPI {
                 Write-Debug '----------------------------------'
             }
             do {
-                switch ($TokenType) {
-                    'ghu' {
-                        if (Test-GitHubAccessTokenRefreshRequired -Context $Context) {
-                            $Token = Update-GitHubUserAccessToken -Context $Context -PassThru
-                        }
-                    }
-                    'PEM' {
-                        if ($jwt.ExpiresAt -lt (Get-Date)) {
-                            $jwt = Get-GitHubAppJSONWebToken -ClientId $Context.ClientID -PrivateKey $Context.Token
-                            $Token = $jwt.Token
-                            $APICall['Token'] = $Token
-                        }
-                    }
-                }
                 $response = Invoke-WebRequest @APICall -ProgressAction 'SilentlyContinue' -Debug:$false -Verbose:$false
 
                 $headers = @{}

src/functions/public/Auth/Connect-GitHubAccount.ps1

@@ -98,7 +98,7 @@
             Mandatory,
             ParameterSetName = 'App'
         )]
-        [string] $PrivateKey,
+        [object] $PrivateKey,
 
         # Automatically load installations for the GitHub App.
         [Parameter(
@@ -246,10 +246,13 @@
                 }
                 'App' {
                     Write-Verbose 'Logging in as a GitHub App...'
+                    if (-not($PrivateKey -is [System.Security.SecureString])) {
+                        $PrivateKey = $PrivateKey | ConvertTo-SecureString -AsPlainText
+                    }
                     $context += @{
-                        Token     = ConvertTo-SecureString -AsPlainText $PrivateKey
-                        TokenType = 'PEM'
-                        ClientID  = $ClientID
+                        PrivateKey = $PrivateKey
+                        TokenType  = 'PEM'
+                        ClientID   = $ClientID
                     }
                 }
                 'PAT' {

src/functions/public/Auth/Connect-GitHubApp.ps1

@@ -85,7 +85,6 @@
     }
 
     process {
-
         $installations = Get-GitHubAppInstallation -Context $Context
         $selectedInstallations = @()
         Write-Verbose "Found [$($installations.Count)] installations."

src/types/GitHubContext.Types.ps1xml

@@ -7,7 +7,7 @@
                 <Name>Remaining</Name>
                 <GetScriptBlock>
                     if ($null -eq $this.TokenExpirationDate) { return }
-                    New-TimeSpan -Start (Get-Date) -End $this.TokenExpirationDate
+                    New-TimeSpan -Start ([datetime]::Now) -End $this.TokenExpirationDate
                 </GetScriptBlock>
             </ScriptProperty>
         </Members>
@@ -19,7 +19,7 @@
                 <Name>Remaining</Name>
                 <GetScriptBlock>
                     if ($null -eq $this.TokenExpirationDate) { return }
-                    New-TimeSpan -Start (Get-Date) -End $this.TokenExpirationDate
+                    New-TimeSpan -Start ([datetime]::Now) -End $this.TokenExpirationDate
                 </GetScriptBlock>
             </ScriptProperty>
         </Members>

src/variables/private/GitHub.ps1

@@ -9,7 +9,7 @@ $script:GitHub = [pscustomobject]@{
         ID                            = 'Module'
         HostName                      = ($env:GITHUB_SERVER_URL ?? 'github.com') -replace '^https?://'
         ApiBaseUri                    = "https://api.$(($env:GITHUB_SERVER_URL ?? 'github.com') -replace '^https?://')"
-        AccessTokenGracePeriodInHours = 4
+        AccessTokenGracePeriodInHours = 4.0
         GitHubAppClientID             = 'Iv1.f26b61bc99e69405'
         OAuthAppClientID              = '7204ae9b0580f2cb8288'
         DefaultContext                = ''